Intro

Major FortiOS releases bring a lot of new, useful features, but they are also the releases most customers fear. It is normal for some core FortiOS functions to be redesigned, and after an upgrade that can cause a huge admin headache if the configuration is not migrated properly. In FortiOS 5.6, the SSL/SSH Inspection module was redesigned under the hood. For the FortiGate admin, the main difference is that an SSL/SSH Inspection profile is now required whenever any UTM feature is enabled in a policy. You can't uncheck it.

Tech Details

Let's take a look at a simple policy, created in FortiOS 5.4.5:

FortiOS 5.4.5 policy view
config firewall policy
    edit 1
        set name "Internet Access"
        set uuid a1effa9a-e508-51e9-bdf4-922bf98df8f6
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set av-profile "default"
        set profile-protocol-options "default"
        set nat enable
    next
end

Notice that we enabled an AV profile for that traffic. Now we upgrade that box straight to FortiOS 5.6.2. The device reboots, we check the policy, and there is a surprise:

FortiOS 5.6.2 policy view
config firewall policy
    edit 1
        set name "Internet Access"
        set uuid a1effa9a-e508-51e9-bdf4-922bf98df8f6
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set av-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection" <-- NEW and REQUIRED!
        set nat enable
    next
end

The policy now uses the default certificate-inspection SSL/SSH profile. In most cases you would be fine. The problem may be with websites that present a certificate the FortiGate does not trust. Below is the list of steps the FortiGate takes to verify a server certificate:

  1. check the SNI (sent by the client in the ClientHello) against the server certificate
    🔹if there is no SNI, verify the certificate Subject
    🔹NOTE: the FGT does not validate the Subject Alternative Name
  2. check that the issuing CA certificate is in the database and verify the signature
    🔹NOTE: the FortiGate uses the Mozilla certificate store
  3. validity dates
  4. revocation status (CRL)

Using the above logic, you can evaluate whether a given certificate will be trusted by the FortiGate.
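To make the four steps concrete, here is an added Go example (not Fortinet code and not from the original post) that builds a throwaway mini-PKI with Go's crypto/x509 and runs several certificates through a function that models the checks above: SNI against the Subject CN only, chain to a CA in the trust store, validity dates, and a CRL lookup. Everything in it is assumed for illustration: the certificate names and serial numbers, the CRL represented as a set of revoked serials, and the decision to fall back to a plain "is there a Subject CN" check when the client sends no SNI. The case worth noticing is the certificate whose CN is an internal name and whose public name lives only in the SAN: Go's own validation accepts it, the CN-only check does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verdict is the outcome of the simulated check; Reason names the failing step.
type Verdict struct {
	Trusted bool
	Reason  string
}

// fortiStyleVerify is an assumed model of the four steps described in the text, not
// Fortinet code: the name check compares the ClientHello SNI with the Subject CN only
// (SAN ignored), Go's chain builder covers the CA-store and date checks, and the CRL
// is a set of revoked serial numbers.
func fortiStyleVerify(sni string, leaf *x509.Certificate, roots *x509.CertPool,
	crl map[string]bool, now time.Time) Verdict {
	cn := leaf.Subject.CommonName
	// Step 1: SNI vs Subject CN. leaf.DNSNames (the SAN) is deliberately never consulted.
	if sni != "" && !strings.EqualFold(sni, cn) {
		return Verdict{false, fmt.Sprintf("step 1: SNI %q != Subject CN %q (SAN ignored)", sni, cn)}
	}
	if sni == "" && cn == "" { // no SNI: all we can check is that a Subject CN exists (assumption)
		return Verdict{false, "step 1: no SNI and no Subject CN to check"}
	}
	// Steps 2 and 3: chain to a CA in the store (signature check) at time `now`.
	// Verify also enforces the validity dates, so an expiry error is reported as step 3.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			return Verdict{false, "step 3: " + err.Error()}
		}
		return Verdict{false, "step 2: " + err.Error()}
	}
	// Step 4: revocation, modelled as a lookup of the serial number in the CRL.
	if crl[leaf.SerialNumber.String()] {
		return Verdict{false, "step 4: serial " + leaf.SerialNumber.String() + " is on the CRL"}
	}
	return Verdict{true, ""}
}

// issue signs tmpl with the given CA and key, or self-signs it when ca is nil.
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if ca == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario is a constructed mini-PKI with one leaf certificate per failure mode.
type Scenario struct {
	Roots                                      *x509.CertPool
	CRL                                        map[string]bool
	Now                                        time.Time
	Good, SANOnly, Expired, Untrusted, Revoked *x509.Certificate
}

// BuildScenario creates a trusted root, a root missing from the store, and five leaves.
func BuildScenario() Scenario {
	now := time.Date(2018, 1, 15, 0, 0, 0, 0, time.UTC)
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	leaf := func(serial int64, cn string, nb, na time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			DNSNames: []string{"www.example.com"}, NotBefore: nb, NotAfter: na,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	trusted, trustedKey := issue(ca(1, "Demo Trusted Root"), nil, nil)
	unknown, unknownKey := issue(ca(2, "Demo Unknown Root"), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	nb, na := now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)
	good, _ := issue(leaf(10, "www.example.com", nb, na), trusted, trustedKey)
	// CN is an internal host name; the public name is only in the SAN (common behind load balancers).
	sanOnly, _ := issue(leaf(11, "lb-01.internal", nb, na), trusted, trustedKey)
	expired, _ := issue(leaf(12, "www.example.com", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)), trusted, trustedKey)
	untrusted, _ := issue(leaf(13, "www.example.com", nb, na), unknown, unknownKey)
	revoked, _ := issue(leaf(14, "www.example.com", nb, na), trusted, trustedKey)
	return Scenario{Roots: roots, CRL: map[string]bool{revoked.SerialNumber.String(): true}, Now: now,
		Good: good, SANOnly: sanOnly, Expired: expired, Untrusted: untrusted, Revoked: revoked}
}

func main() {
	s := BuildScenario()
	for name, c := range map[string]*x509.Certificate{"good": s.Good, "san-only": s.SANOnly,
		"expired": s.Expired, "untrusted-ca": s.Untrusted, "revoked": s.Revoked} {
		fmt.Printf("%-12s %+v\n", name, fortiStyleVerify("www.example.com", c, s.Roots, s.CRL, s.Now))
	}
}
```

`go run` prints one verdict per certificate. The same function can be pointed at a real server certificate (parse it with x509.ParseCertificate and use the Mozilla bundle as the root pool) to predict whether the FortiGate will accept it after the upgrade; the SAN-only case is the one most likely to surprise you on real sites.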

default SSL Inspection profile

Recommendation

Before you perform the upgrade, find all policies that have UTM features enabled but SSL inspection turned off. Make a note of them and verify that they still process traffic correctly after the upgrade.
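That inventory can be scripted against a config backup taken before the upgrade. The following Go program is an added example, not part of the original post and not a Fortinet tool: it parses the config/edit/set/next/end nesting of a backup, extracts the top-level `config firewall policy` table, and lists every policy that has utm-status enabled and at least one security profile set but no ssl-ssh-profile line, which is exactly what the 5.4.5 policy above looks like. The embedded backup excerpt is constructed for the example (policy 1 is the one shown earlier), and the list of profile keys that count as "UTM features" is an assumption of this example; extend it with any other profile type you use.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Policy is one `edit` entry of `config firewall policy` with its `set` lines.
type Policy struct {
	ID       string
	Settings map[string]string // key -> value, quotes stripped, multi-value joined by spaces
}

// utmProfileKeys are the per-policy security-profile settings this audit treats as
// "UTM features" (an assumption of the example; extend it with any profile type in use).
var utmProfileKeys = []string{"av-profile", "webfilter-profile", "ips-sensor",
	"application-list", "dnsfilter-profile", "spamfilter-profile", "dlp-sensor"}

// ParsePolicies walks a FortiOS config backup, following the config/edit/set/next/end
// nesting, and returns every entry of the top-level `config firewall policy` table.
func ParsePolicies(cfg string) []Policy {
	var policies []Policy
	var cur *Policy
	depth, inTable := 0, false
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "config":
			depth++
			if depth == 1 { // only a top-level table can be the policy table
				inTable = strings.Join(f[1:], " ") == "firewall policy"
			}
		case "end":
			depth--
			if depth == 0 {
				inTable = false
			}
		case "edit":
			if inTable && depth == 1 && len(f) > 1 {
				cur = &Policy{ID: strings.Trim(f[1], `"`), Settings: map[string]string{}}
			}
		case "next":
			if cur != nil && depth == 1 {
				policies = append(policies, *cur)
				cur = nil
			}
		case "set":
			if cur != nil && depth == 1 && len(f) > 2 {
				cur.Settings[f[1]] = strings.Trim(strings.Join(f[2:], " "), `"`)
			}
		}
	}
	return policies
}

// NeedsSSLProfile returns the IDs of policies that enable a UTM feature but carry no
// ssl-ssh-profile: the ones the 5.6 upgrade will switch to certificate-inspection.
func NeedsSSLProfile(policies []Policy) []string {
	var ids []string
	for _, p := range policies {
		if p.Settings["utm-status"] != "enable" || p.Settings["ssl-ssh-profile"] != "" {
			continue
		}
		for _, k := range utmProfileKeys {
			if p.Settings[k] != "" {
				ids = append(ids, p.ID)
				break
			}
		}
	}
	return ids
}

// sampleConfig is a constructed 5.4-style backup excerpt: policy 1 is the one shown in
// the post, policy 2 already has a profile, policy 3 has no UTM, policy 4 uses IPS only.
const sampleConfig = `
config system global
    set hostname "FGT-DEMO"
end
config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        set nat enable
    next
    edit 2
        set name "Guest Web"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set name "DMZ Management"
        set action accept
    next
    edit 4
        set name "Servers Inbound"
        set utm-status enable
        set ips-sensor "protect_http_server"
    next
end
`

func main() {
	for _, id := range NeedsSSLProfile(ParsePolicies(sampleConfig)) {
		fmt.Printf("policy %s: UTM enabled without ssl-ssh-profile, review after upgrade\n", id)
	}
}
```

Replace sampleConfig with the contents of a real backup (`execute backup config` output) to get the list of policies to watch; on the sample it reports policies 1 and 4. The parser deliberately ignores every other table and any nested `config` block inside a policy, so it is safe to feed it a full backup.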